[coreboot] How is CONFIG_TPM selected?

Julius Werner jwerner at chromium.org
Tue Aug 16 21:26:39 CEST 2016


> On a related topic, is there a reason to wait to enable the TPM?  Looking
> at src/northbridge/intel/sandybridge/romstage.c, it isn't enabled until
> after the MRC cache has been read from the read-write portions of the
> flash chip, which could potentially compromise the root of trust.

No, I think that's just the way it grew historically. Note that
init_tpm() is part of older code which is not using src/lib/tlcl.c and
isn't really part of the way the main vboot code uses the TPM. (Also,
in vboot the TPM is just used for lockable NVRAM storage, it's not
really part of the root of trust.)
